diff --git a/changelogs/fragments/cve-2020-25646.yml b/changelogs/fragments/cve-2020-25646.yml
new file mode 100644
index 00000000..50e2a6d4
--- /dev/null
+++ b/changelogs/fragments/cve-2020-25646.yml
@@ -0,0 +1,7 @@
+security_fixes:
+- "openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` were not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
diff --git a/plugins/modules/openssl_csr.py b/plugins/modules/openssl_csr.py
index dc16b3d8..dcbc5209 100644
--- a/plugins/modules/openssl_csr.py
+++ b/plugins/modules/openssl_csr.py
@@ -1163,7 +1163,7 @@ def main():
 state=dict(type='str', default='present', choices=['absent', 'present']),
 digest=dict(type='str', default='sha256'),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 version=dict(type='int', default=1),
 force=dict(type='bool', default=False),
diff --git a/plugins/modules/openssl_privatekey.py b/plugins/modules/openssl_privatekey.py
index 47e3afd0..25b9eaaa 100644
--- a/plugins/modules/openssl_privatekey.py
+++ b/plugins/modules/openssl_privatekey.py
@@ -152,6 +152,8 @@ options:
 - If set to C(yes), will return the (current or generated) private key's content as I(privatekey).
 - Note that especially if the private key is not encrypted, you have to make sure that the returned value is treated appropriately and not accidentally written to logs etc.! Use with care!
+ - Use Ansible's I(no_log) task option to avoid the output being shown. See also
+ U(https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook).
 type: bool
 default: no
 version_added: '1.0.0'
diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py
index f59be86b..c4401c81 100644
--- a/plugins/modules/openssl_privatekey_info.py
+++ b/plugins/modules/openssl_privatekey_info.py
@@ -583,7 +583,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 path=dict(type='path'),
- content=dict(type='str'),
+ content=dict(type='str', no_log=True),
 passphrase=dict(type='str', no_log=True),
 return_private_key_data=dict(type='bool', default=False),
 select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py
index b3c5568b..daa27a8f 100644
--- a/plugins/modules/openssl_publickey.py
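Review bot: Nothing in this commit pins the fix — this hunk and the matching ones in openssl_privatekey_info, openssl_publickey, openssl_signature, both x509_certificate hunks and x509_crl only add `no_log=True` to the argument spec, so a later edit of these specs could drop the flag again without any test noticing. A regression test that runs each affected module with inline key material and asserts that the registered result's `invocation.module_args` shows Ansible's `VALUE_SPECIFIED_IN_NO_LOG_PARAMETER` placeholder instead of the PEM text would cover all six modules at once. The option documentation for `privatekey_content` is not touched by the diff; if it does not already say so, a one-line note that the value is masked from logs and from the `invocation` field, in the style the openssl_privatekey hunk uses for `return_content`, would make the behaviour change visible to users. `main()` starts and ends outside this hunk.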
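Review bot: `no_log=True` on `content` masks only the literal key string that was passed in, while the `return_private_key_data` option visible two lines below returns data derived from that same private key, which the new flag cannot hide. The openssl_privatekey hunk in this commit points `return_content` users at the task-level `no_log` option for exactly this reason; the same pointer belongs in the `return_private_key_data` option documentation of this module if it is not already there. The enclosing `main()` and the `AnsibleModule(...)` call continue outside the hunk.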
+++ b/plugins/modules/openssl_publickey.py
@@ -395,7 +395,7 @@ def main():
 force=dict(type='bool', default=False),
 path=dict(type='path', required=True),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
 privatekey_passphrase=dict(type='str', no_log=True),
 backup=dict(type='bool', default=False),
diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py
index 5994dc8d..57bbdc5a 100644
--- a/plugins/modules/openssl_signature.py
+++ b/plugins/modules/openssl_signature.py
@@ -259,7 +259,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 path=dict(type='path', required=True),
 select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py
index 950e84ce..6d82bcac 100644
--- a/plugins/modules/x509_certificate.py
+++ b/plugins/modules/x509_certificate.py
@@ -2565,7 +2565,7 @@ def main():
 # General properties of a certificate
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 # provider: assertonly
@@ -2609,7 +2609,7 @@ def main():
 ownca_path=dict(type='path'),
 ownca_content=dict(type='str'),
 ownca_privatekey_path=dict(type='path'),
- ownca_privatekey_content=dict(type='str'),
+ ownca_privatekey_content=dict(type='str', no_log=True),
 ownca_privatekey_passphrase=dict(type='str', no_log=True),
 ownca_digest=dict(type='str', default='sha256'),
 ownca_version=dict(type='int', default=3),
diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
index 2e719956..54adb4fc 100644
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -754,7 +754,7 @@ def main():
 path=dict(type='path', required=True),
 format=dict(type='str', default='pem', choices=['pem', 'der']),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 issuer=dict(type='dict'),
 last_update=dict(type='str', default='+0s'),